Passageways OnSemble In House customers TLS information

30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

What is SSL/early TLS?

Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems and to protect the confidentiality and integrity of information that passes between them. It was originally developed as Secure Sockets Layer (SSL) by Netscape in the early 1990s. Standardized by the Internet Engineering Task Force (IETF), TLS has undergone several revisions to improve security, block known attacks, and add support for new cryptographic algorithms, with major revisions to SSL 3.0 in 1996, TLS 1.0 in 1990, TLS 1.1 in 2006, and TLS 1.2 in 2008.

What is the risk of using SSL/early TLS?

There are many serious vulnerabilities in SSL and early TLS that, left unaddressed, put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple of examples of how attackers have taken advantage of weaknesses in SSL and early TLS to compromise organizations.

According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.

What does this mean?

Passageways recommends that In House OnSemble servers stop accepting TLS-based HTTPS connections made using TLS versions 1.0 and 1.1. After you have made this change, users and applications attempting to connect with older versions of TLS will not be able to establish a secure connection and will be unable to access Passageways products.

Expressway exception for TLS

Due to a limitation in the installer technology, Expressway connections will require TLS 1.0 until later this year. The current steps require that you enable TLS 1.0 on your server, perform the Expressway install, then disable TLS 1.0 again to maintain TLS compliance.
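One way to confirm the server-side change, and to re-check it after TLS 1.0 has been switched off again following an Expressway install, is to attempt one handshake per protocol version. This is an added example, not Passageways code; the function names, the `HOST[:PORT]` argument and the sample result are assumptions made for illustration.

```python
import contextlib
import socket
import ssl
import sys
import warnings

MUST_REJECT = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)  # versions to be refused
MUST_ACCEPT = (ssl.TLSVersion.TLSv1_2,)
SAMPLE = dict(zip(MUST_REJECT + MUST_ACCEPT, (True, False, True)))  # constructed: 1.0 left on

def pinned_context(version):
    """Client context that can negotiate only `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # probing protocol support, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    with contextlib.suppress(ssl.SSLError):  # OpenSSL often blocks old TLS client-side
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with warnings.catch_warnings():  # Python flags the old versions as deprecated
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx

def probe(host, port, version, timeout=5.0):
    """True if the handshake completes, False if refused, None if untestable."""
    try:
        ctx = pinned_context(version)
    except ValueError:  # local OpenSSL was built without this version
        return None
    try:  # an unreachable host raises OSError instead of looking compliant
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionResetError):  # alert, EOF or reset
        return False

def evaluate(results):
    """Turn {TLSVersion: True/False/None} into findings; empty means compliant."""
    out = [f"{v.name} still accepted" for v in MUST_REJECT if results.get(v)]
    out += [f"{v.name} not testable here" for v in MUST_REJECT if results.get(v) is None]
    out += [f"{v.name} not accepted" for v in MUST_ACCEPT if not results.get(v)]
    return out

if __name__ == "__main__":
    results = SAMPLE  # no arguments: evaluate the constructed sample
    if len(sys.argv) > 1:  # usage: HOST[:PORT]
        host, _, port = sys.argv[1].partition(":")
        results = {v: probe(host, int(port or 443), v) for v in MUST_REJECT + MUST_ACCEPT}
    print(evaluate(results) or "compliant")
```

A "not testable here" finding means the client's own TLS library cannot speak that version, so the check should be repeated from a machine that can before the server is treated as compliant.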

What do I need to do?

Be sure that you are running on a modern browser, such as Internet Explorer 11, Mozilla Firefox 27, Google Chrome 30, or Apple Safari 7 or newer. If any of your personnel are not using one of these browser versions or newer, they will need to update to at least one of these versions.